The CIO’s guide to the breadth and depth of GDPR.
The right to privacy is a long-standing concept that goes back to English Common Law. The Castle Doctrine gives us the familiar phrase, “A man’s home is his castle.” The castle can be generalized as any site that’s private and shouldn’t be accessible without permission of the owner. The idea of privacy quickly expanded to include recognition of a person’s spiritual nature, feelings, and intellect. It’s the right to be left alone.
The European Union (EU) General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC to strengthen and unify data protection for individuals within the EU and address the export of personal data outside the EU. The EU parliament passed the Regulation—after four years of debate—on April 14, 2016, with an effective date of May 25, 2018.
Modern U.S. tort law
There are four categories of modern tort law in which the concept of “invasion of privacy” is used in legal pleadings. These four concepts map closely onto the harms GDPR sets out to prevent:
- Intrusion of solitude: intrusion into one’s private quarters
- Public disclosure of private facts: the dissemination of truthful, private information
- False light: the publication of facts that place a person in a false light
- Appropriation: the unauthorized use of a person’s name or likeness
Intrusion of solitude refers to a person intentionally intruding, physically or electronically, into the private space of another. Typical examples include breaking into someone else’s email account or covertly installing a camera to watch a person without their knowledge.
Public disclosure of private facts is the act of publishing information that was never meant for public consumption. Unlike libel or slander, truth is not a defense: the information can be entirely accurate and its disclosure still an invasion of privacy.
False light is closely related to, but distinct from, defamation. Defamation covers false statements that harm the reputation of a person, business, product, group, government, religion, or nation; false light covers publicity that portrays a person in a misleading or highly offensive way, whether or not it damages their reputation.
Appropriation of name or likeness prevents—often at a state level—the use of a person’s name or image, without consent, for the commercial benefit of another person. This protects a person’s name from commercialization in a similar fashion to how a trademark action protects a trademark.
Modern tort law thus protects more than the individual’s physical space, but it leaves one grey area: how personal information is shared and transferred. GDPR addresses that gap directly by protecting EU residents’ personal data wherever it is processed, including outside the borders of the EU.
The threat is here
There were 1,579 data breaches and over 179 million records exposed in 2017 according to the Identity Theft Resource Center’s 2017 year-end report—a dramatic 44.7 percent increase over 2016 data breaches. The breaches and records lost were spread across industries:
- Banking: 134 breaches, 3.1 million records
- Business: 870 breaches, 163 million records
- Education: 127 breaches, 1.4 million records
- Government: 74 breaches, 6 million records
- Healthcare: 374 breaches, 5 million records
The threat to citizens’ privacy isn’t coming. This threat has already arrived.
GDPR policy in a data-driven world
GDPR builds on the key principles established by the original 1995 Directive governing how personal data is used, stored, and disseminated, and expands four core areas:
- Territorial scope: this extends the jurisdiction of GDPR to all companies processing the personal data of subjects residing in the EU
- Penalties: an organization can be fined up to 4 percent of annual global turnover or €20 Million (whichever is greater)
- Consent: long, complex terms and conditions and data requests must be intelligible
- Data-subject rights: breach notification, right of access, right to be forgotten, data portability, and the related controller obligations of privacy by design and data-protection officers (DPOs) have been clarified, often widening the scope of GDPR
Territorial scope means that if the data concerns subjects in the EU, the company must comply with the Regulation, regardless of where the controller or processor is established or where the processing takes place. If EU personal data is touched, your organization is affected.
The penalties are severe, and companies are taking notice. Fines are tiered: the top tier of 4 percent of annual global turnover or €20 million applies to infringements of the core principles and data-subject rights (Article 83(5)), while a lower tier of 2 percent of annual global turnover or €10 million (Article 83(4)) applies to controller and processor obligations such as keeping records of processing activities (Article 30) and the processor duties set out in Article 28. Failing to notify the supervisory authority of a data breach fully and promptly is also penalised. Because the Regulation binds processors as well as controllers, cloud and SaaS providers are not exempt from GDPR enforcement.
Consent was already required under the old Directive, but it was often buried in unintelligible terms and conditions. Consent must now be requested in clear and plain language, and it must be as easy to withdraw as it is to give.
The data-subject rights cover six areas in more depth:
- Breach notification: inform the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals’ rights and freedoms at risk (Article 33), and tell the affected individuals without undue delay where that risk is high (Article 34)
- Right of access: confirm to individuals whether their personal data is being processed and for what purpose, and give them a copy of it (Article 15)
- Right to be forgotten: erase a person’s data on request when, for example, consent has been withdrawn or the data is no longer needed for the purpose it was collected (Article 17)
- Data portability: provide a person’s data in a structured, commonly used, machine-readable format (Article 20)
- Privacy by design: build data protection into systems from the outset rather than bolting it on afterwards (Article 25)
- Data-protection officers: appointing a DPO is mandatory for public authorities and for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (Article 37)
Processing and using personal data
These onerous obligations replace the old Directive and apply across all twenty-eight Member States of the EU, from the UK to Estonia. GDPR pushes companies to re-examine their organizational policies, standards, guidelines, procedures, and processes.
As your organization assesses GDPR impact, there are 10 questions to keep in mind:
- How does expanded territorial reach impact your customers, providers, and partners?
- Do you have sufficient DPOs in place with the appropriate programs?
- Are data accountability and privacy included in the business process and system design?
- Are data-processing responsibilities mapped to organizational roles with clear accountability?
- Has your organization revisited corporate policies and procedures while taking into consideration the broad-reaching scope of GDPR?
- Is consent to access the array of products, services, and interactions written in clear and plain language?
- Do customers understand how to clearly grant or withdraw consent?
- Have risk assessments been performed to quantify the economic and financial exposure of non-compliance, including potential fines?
- Is the data-breach notification process streamlined enough to meet the 72-hour deadline?
- Does the organization have clear criteria for deciding when a breach is likely to put individuals at risk and therefore must be reported?
Companies have a lot to do before GDPR becomes effective on May 25, 2018. Stay on top of the latest GDPR developments by following the Article 29 Data Protection Working Party (WP29), the independent EU advisory body on data protection and privacy made up of representatives from each Member State’s supervisory authority; once GDPR applies, its role passes to the European Data Protection Board (EDPB). Together, we can improve how big data is processed while limiting the financial risk to our organizations.